Big Data & Analytics Blog

News and views from the team at Keylink

Delivering the Missing Piece of the SIEM Enterprise Security Puzzle

Here’s a little corporate security scenario for you: What if Peter’s building swipe card is used at corporate headquarters in Melbourne, but Peter simultaneously logs into a desktop PC in the Sydney office? I think most people would agree that a security alert should be raised and the situation investigated fairly quickly. It could just be a case of Peter accidentally leaving his swipe card on the desk in Melbourne and asking a colleague to pick it up for him – but maybe something more sinister is happening.

Does your IT security team have this kind of real-time correlation and alerting capability?

In the world of enterprise security software, SIEM is where it’s at. SIEM stands for Security Information and Event Management, and offers organisations just this type of real-time monitoring, correlation of events, notification and reporting.

You’ll notice that correlating events across multiple systems is an essential component of the SIEM approach. What if the desktop PC login in our example above was actually a mainframe TSO login attempt?

There are plenty of great z/OS mainframe security tools on the market (Omegamon anyone?) but the problem is they typically operate in their own information silo where only the mainframe security team has access. Equally the network and midrange security teams often have no expertise with mainframe security data, and literally have to go and ask the mainframe team to help them investigate security incidents.

This makes it almost impossible for most organisations to correlate mainframe incidents with midrange attacks in real-time – and clearly timely response is a major factor in loss and damage prevention.

One of the leading SIEM solutions on the market is Splunk Enterprise Security (ES) named as a leader in the 2016 Gartner SIEM Magic Quadrant report, and a premium add-on for Splunk Enterprise. Splunk ES empower’s your security team with a rich set of pre-built dashboards, reports, incident response workflows with risk scores, quick searches, analytics, correlations and security indicators.

What if you could access the rich trove of mainframe security data using the standard Splunk ES dashboards and workflows?

Now with Syncsort Ironstream you can. Ironstream takes complex mainframe logs and data types, converts them into a Splunk-friendly format, and maps the data into the Splunk Common Information Model (CIM). This gives you a complete view of the security environment across your entire IT infrastructure – including mainframe – from a single pane of glass running Splunk ES and: